Thursday, December 10, 2015

Policy wonks aren't computer experts

This Politico story polls "cybersecurity experts" on a range of issues. But they weren't experts, they were mostly policy wonks and politicians. Almost none of them have ever configured a firewall, written some code, exploited SQL injection, analyzed a compromise, or in any other way have any technical expertise in cybersecurity. It's like polling a group of "medical experts", none of whom has a degree in medicine, or having a "council of economic advisers" consisting of nobody with economics degrees, but instead representatives from labor unions and corporations.

As an expert, a real expert, I thought I'd answer the questions in the poll. After each question, I'll post my answer (yes/no), the percentage from the Politico poll of those agreeing with me, and then a discussion.

Should the government mandate minimum cybersecurity requirements for private-sector firms?

No (39%). This question is biased because they asked policy wonks, most of whom will answer "yes" to any question of the form "should government mandate". It's also biased because if you ask anybody involved in X if we need more X, they'll say "yes", regardless of the subject you are talking about.

But the best answer is "no", for three reasons.

Firstly, we experts don't know what "minimum requirements" should be. The most common attacks on the Internet are SQL injection, phishing, and password reuse. We experts don't know how to solve these problems. Even if everyone followed minimum requirements, it wouldn't make a difference in hacking.

Secondly, "requirements" have a huge cost. The government already has a mandate for minimum requirements for government products, called "Common Criteria". It costs millions of dollars to get a product certified and makes no difference in cybersecurity.

Finally, it would kill innovation. The industry is in a headlong rush to "IoT", the "Internet of Things", where every device in your home, including hair dryers and Barbie dolls, is Internet enabled. I'll be at the forefront pointing out the laughable security in these devices, and how they easily allow hackers into your home. But to force innovation to halt for the next decade while they addressed cybersecurity instead would be a travesty. A better model is for them to ship crap first, for us in the industry to laugh and mock them for their obvious bugs, and for them to fix it later.

Should companies provide a "back door" for law enforcement to gain access to a program or computer?

No (85%). This one is a no-brainer. Even the most pro-law-enforcement among us recognize the problems with this one.

If passed, would the cybersecurity legislation under negotiation result in an appreciable reduction in cyber breaches of U.S. firms?

No (74%). This one surprised me, since most of the responses are from Washington D.C. policy wonks. But then the truth of CISA is that nobody cares whether it actually works -- they want it firstly so that they appear to be addressing the problem, and secondly as a platform to stick amendments onto.

If passed, would the cybersecurity legislation under negotiation present a significant loss of privacy for Americans?

Yes (35%). Sadly, I'm in the minority. The reason is that policy wonks believe that the intention of CISA isn't to invade privacy, so they'll answer "no". However, privacy invasion is an unintended consequence of information sharing, which is why privacy advocates answer "yes".

Do you expect a major cyberattack against U.S. critical infrastructure to occur within the ...

Century (0%). The only choices they gave were Next year (9%), Next five years (48%), and Next decade (43%). They are all morons. It's roughly the same answer "experts" have been giving for the last 15 years, which has shown that they've been consistently wrong.

Hacking into a power company and causing a blackout is deceptively easy. A lot of these people are privy to "pen test" reports showing how hackers easily broke into a power grid and put their virtual fingers on the proverbial button to turn off the power.

But just because it's possible doesn't mean that people will do it. It's equally possible for Al Qaeda, the North Koreans, or the French to send sleeper agents into the United States to create explosives from off-the-shelf ingredients, and then bomb key power distribution points to cause mass blackouts throughout the country. Attacking the grid with cyber is easy, but attacking it "kinetically" is still even easier. I've done pentests of the power grid. If you hired me to cause mass blackouts, I'd predominantly use explosives.

The biggest issue, though, is that the United States critical infrastructure is incredibly diverse, involving 10,000 different companies. Small, temporary blackouts are easy, but a "major" blackout affecting a large part of the grid is impractical, at least not unless you spent many years on the problem.

Eventually something might happen. But what we'll see is a range of minor attacks against critical infrastructure long before we see a major attack. Those minor attacks haven't happened yet, and until they do, we shouldn't get worried about it.

Does working for the U.S. government now mean accepting that your personal information will be accessed by foreign governments?

Yes (77%), but really, it's always been this way. Throughout the Cold War, the biggest thing spies did was figure out everyone working for foreign intelligence agencies. It's always been known that if you get clearance, you get put on a list that our adversaries (Russia, China, the French) would know about, meaning that even casually traveling to those countries as a tourist might get your hotel room bugged.

The OPM breach changes none of this. I suspect the OPM breach was by much lower level hackers, and they are finding it hard selling the information because all the potential buyers already have it.

Should the U.S. government pardon Edward Snowden?

No (91%), but not for the reasons you think.

I'm on the side who thinks Snowden is a hero. However, breaking your word should have consequences. I'd like to think given the same situation as Snowden, I'd've leaked that Verizon court order, but I would have stayed to face the consequences and go to jail.

Anybody in government who has taken solemn oaths (especially the military) is likely to agree with me, regardless of what they think about mass surveillance.

Is cybersecurity over-hyped as a problem?

Yes (19%), of course it is. It's obvious the Internet is secure enough, or people wouldn't be putting everything on the Internet. No matter the costs of hacking/insecurity, they are less than the benefits of the Internet.

For example, credit card fraud is the biggest cybersecurity problem today, but it is so small that we get "cash back" from credit cards, because the amount of fraud is still less than the fees they charge designed to compensate for fraud.

Of course, this question has the same biases I mentioned above. If you ask anybody involved in X if the public needs more awareness of X, they'll almost always say "yes".

Has the U.S. military been too hesitant to conduct offensive cyber operations?

No (77%). The other 23% say "yes" because they've seen situations where we could've, but didn't.

But "no" is the right answer. By itself, the mass global cyber surveillance uncovered by Snowden is evidence that we are the most aggressive actor in cyberspace. But beyond surveillance, we have a very active cyber-offensive program.

Will we reach an agreement on international rules of the road in cyberspace?

Blerg (0%). That's sort of a nonsense question. Will we reach agreements? Yes. That's the sort of thing politicians do. Will they have any meaning? Any teeth? Will countries abide by them? Probably not.

We already have one instance, the Wassenaar agreement controlling "cyber weapons", and it's turning out horribly, not what anybody expected.

Are U.S. government officials too hesitant to publicly attribute cyberattacks to other countries?

No (39%). The reason policy wonks answer "yes" is that they can point to examples where the government was hesitant, such as that DDoS attack against GitHub that was clearly by the Chinese government.

But at the same time, we can point to many opposite cases where the government is too eager to attribute attacks to other countries, such as the Sony hack attributed to North Korea.

It's hard to say which happens more often, but in my experience, attacks that legitimately come from "other countries" aren't actually directed by those countries. Governments foster an environment that makes attacking the U.S. easy, but don't actually direct the attacks.

It's like the terrorist attacks in Paris and San Bernardino. ISIS claims credit, but it's unclear how much was directed and supported by ISIS, and how much the attacks were planned by locals in ISIS's name. In much the same way, there are lots of cyberattacks from China and Russia against the United States, but I'm not sure how much they are directed by their respective governments.

Is the no-commercial cyberspying agreement between President Barack Obama and Chinese President Xi Jinping likely to lead to a reduction in economic hacking by China?

No (60%). At most, it'll stop the direct attacks from the Chinese Army, but hacking is rife in Chinese society, so I'm not sure how much that will stop. On the other hand, information about who in society is hacking percolates up the food chain, so it's possible that the central government could crack down on those hackers if it wants. I imagine a situation where there's this hacker who has been living in a mansion for a decade, selling secrets he's hacked with collusion from Chinese officials, only to be surprised by the secret police showing up one day and arresting him.